The present invention enables the selection of network routes based on a combination of traditional route table entries, identity policy information, and trust level information determined dynamically for each network session. This enables a network operator to apply different policies to network entities presenting differing identity credentials. It also allows network operators to block access to networks and network resources when identity credentials are not provided or are unauthorized.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method performed by a group of devices comprising the steps of: providing a network; providing a network resource; said network resource being connected to said network; said network resource including an address; providing a Trust Router; said Trust Router being connected to said network; said Trust Router including a route table; said route table having at least one route table entry to a network resource; providing a network client; said network client being connected to said network; conveying, by said network client, a resource request over said network to said Trust Router; said resource request including the address of said network resource; said resource request containing an authentication object; said authentication object including identity information; providing an Identity Policy Group; said Identity Policy Group being located within said Trust Router; providing a Trust Level; said Trust Level being received by said Trust Router; using said identity in said authentication object to authenticate said network client; using, by said Trust Router, said authentication object to determine an Identity Policy Group and said Trust Level; selecting a route table entry that matches the destination address of said resource request and that matches said Identity Policy Group and that matches said Trust Level; identifying, by said Trust Router, a forwarding table entry that matches said destination address of said resource request and said Identity Policy Group and said Trust Level; conveying, by said trust router, said resource request to said network resource via a next hop information in said selected route table entry; and using said Identity Policy Group and said destination address to select a route for said resource request to said address of said network resource.
This invention relates to network routing systems that enhance security by integrating identity-based access control into routing decisions. The problem addressed is the lack of granular control over network traffic based on user or device identity, which can lead to unauthorized access to network resources. The solution involves a Trust Router that uses identity information to determine routing paths and enforce access policies. The system includes a network with connected devices, including a network resource, a Trust Router, and a network client. The Trust Router maintains a route table with entries that map destination addresses to forwarding paths. When a network client sends a resource request to the Trust Router, the request includes an authentication object containing identity information. The Trust Router uses this identity to authenticate the client and determine an Identity Policy Group and a Trust Level. The Trust Router then selects a route table entry that matches the destination address, Identity Policy Group, and Trust Level. The request is forwarded to the network resource via the next hop specified in the selected route table entry. This approach ensures that routing decisions are based on both the destination address and the identity of the requesting client, improving network security by restricting access to authorized users or devices.
2. The method as recited in claim 1, in which: said resource request is a TCP-SYN packet.
A method for processing network traffic involves detecting and handling resource requests in a communication system. The method addresses the problem of efficiently managing and securing network connections, particularly in environments where unauthorized or excessive resource requests can degrade performance or enable attacks. The method includes receiving a resource request from a client device, analyzing the request to determine its type and origin, and applying predefined rules to either grant, deny, or modify the request based on security policies, load conditions, or other criteria. The method ensures that only legitimate and authorized requests are processed, preventing resource exhaustion and improving network reliability. In a specific implementation, the resource request is a TCP-SYN packet, which is the initial packet in a TCP handshake used to establish a connection. The method examines the TCP-SYN packet to verify its authenticity, check for signs of malicious intent (such as SYN flood attacks), and determine whether the request should be allowed to proceed. This implementation helps mitigate denial-of-service (DoS) attacks by filtering out suspicious or excessive SYN packets before they consume network resources. The method may also log or report the results of the analysis for further monitoring and security enforcement.
3. The method as recited in claim 1, in which: said authentication object contained in said resource request is a statistical object.
A method for authenticating resource requests in a computing system involves verifying the authenticity of a request by analyzing an authentication object embedded within the request. The authentication object is a statistical object, meaning it contains data derived from statistical analysis rather than traditional cryptographic signatures or tokens. This statistical object is generated based on patterns or distributions observed in legitimate requests, allowing the system to distinguish between authorized and unauthorized requests by comparing the statistical properties of the incoming request against expected patterns. The method includes receiving a resource request containing the statistical object, extracting the object, and performing an authentication process by evaluating the statistical properties of the object against predefined criteria. If the statistical properties match or fall within an acceptable range, the request is deemed authentic and granted access to the requested resource. This approach enhances security by leveraging statistical analysis to detect anomalies or deviations from expected behavior, reducing reliance on traditional authentication mechanisms that may be vulnerable to attacks. The method is particularly useful in systems where cryptographic authentication is impractical or where statistical patterns can provide a robust alternative for verifying request legitimacy.
4. The method as recited in claim 1, in which: said resource request is an IP packet.
A system and method for processing network resource requests involves analyzing and managing data packets in a communication network. The invention addresses the challenge of efficiently handling resource requests, particularly in scenarios where network traffic must be monitored, filtered, or prioritized. The method includes receiving a resource request, which may be an IP packet, and determining whether the request meets predefined criteria. If the criteria are satisfied, the request is processed according to specific rules, such as allowing, blocking, or modifying the packet. The system may also log the request for further analysis or compliance purposes. The method ensures that network resources are allocated appropriately while maintaining security and performance. The invention is applicable in various network environments, including enterprise networks, cloud computing, and internet service providers, where efficient packet handling is critical for optimal operation. The solution provides a flexible framework for managing network traffic, allowing administrators to define custom rules for handling different types of packets based on their content, source, or destination. This ensures that network resources are used efficiently while preventing unauthorized access or malicious activity.
5. The method as recited in claim 1, in which: said Trust Level is employed for the purpose of changing access to network resources without changing route table entries.
This invention relates to network security, specifically a method for dynamically adjusting access to network resources based on a Trust Level without modifying route table entries. The system assigns a Trust Level to network entities, such as devices or users, which determines their access permissions. The Trust Level can be adjusted in response to security events, user behavior, or policy changes, allowing for real-time access control without altering the underlying network routing infrastructure. This approach improves security by isolating compromised or untrusted entities while maintaining efficient network operations. The method ensures that access decisions are made based on the current Trust Level, enabling granular control over resource availability without the overhead of updating route tables. This solution is particularly useful in environments where rapid response to security threats is required, such as enterprise networks or cloud computing platforms. By decoupling access control from routing, the system simplifies management and reduces the risk of misconfigurations that could disrupt network traffic. The invention provides a scalable and flexible way to enforce security policies while maintaining network performance.
6. A method comprising the steps of: providing a network; providing a network resource; said network resource being connected to said network; said network resource including an address; providing a Trust Router; said Trust Router being connected to said network; said Trust Router including a route table; said route table including a plurality of route table entries; each of said route table entries including an Identity Policy Group and a Trust Level; providing a network client; said network client being connected to said network; conveying, by said network client, a resource request over said network to said Trust Router; said resource request containing an authentication object; and including a destination address; said authentication object including identity information; using, by said Trust Router, said authentication object to authenticate said network client and determining the associated Identity Policy Group and said associated Trust Level; determining that none of said plurality of route table entries in said route table matches said destination address of said resource request and matches said Identity Policy Group and matches said Trust Level; and discarding said resource request.
This invention relates to network security, specifically a method for controlling access to network resources based on identity and trust levels. The problem addressed is unauthorized access to network resources, where traditional routing mechanisms lack identity-aware filtering capabilities. The method involves a network with a resource, a Trust Router, and a network client. The network resource has an address and is connected to the network. The Trust Router, also connected to the network, maintains a route table with entries that include an Identity Policy Group and a Trust Level. The network client sends a resource request to the Trust Router, containing an authentication object with identity information and a destination address. The Trust Router authenticates the client using the authentication object and determines the client's Identity Policy Group and Trust Level. It then checks if any route table entry matches the destination address, Identity Policy Group, and Trust Level. If no match is found, the request is discarded, preventing unauthorized access. This ensures that only clients with the correct identity and trust level can access specific network resources, enhancing security.
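Claims 1, 5 and 6 together describe a single lookup: authenticate the client from the authentication object, derive its Identity Policy Group, take the session's Trust Level, and then pick the route table entry that matches destination address, group and trust together, forwarding via that entry's next hop (claim 1) or discarding the request when nothing matches (claim 6). Because the trust value is an input to the match, changing it changes which entry a session can use without editing the table (claim 5). The Python below is an added example written to illustrate that lookup; it is not code from the patent or from any product. The route table, identity store, token values and addresses are all constructed, the shared-secret token stands in for whatever credential a real Trust Router would verify, and treating Trust Level as an integer that matches any entry whose minimum it meets is an assumption about what "matches said Trust Level" means.

```python
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class RouteEntry:
    """A route table entry keyed on destination prefix, Identity Policy Group and
    Trust Level, as in claims 1 and 6. Assumption: Trust Level is an integer and
    an entry matches any session whose trust is at least min_trust."""
    prefix: str
    policy_group: str
    min_trust: int
    next_hop: str


# Constructed route table for the example (not from the patent).
ROUTE_TABLE = [
    RouteEntry("10.1.0.0/16", "employees", 2, "10.0.0.1"),
    RouteEntry("10.1.5.0/24", "employees", 3, "10.0.0.2"),
    RouteEntry("10.1.0.0/16", "contractors", 4, "10.0.0.3"),
    RouteEntry("192.0.2.0/24", "guests", 1, "10.0.0.9"),
]

# Constructed identity store: identity -> (expected token, Identity Policy Group).
IDENTITY_STORE = {
    "alice@example.test": ("tok-alice", "employees"),
    "bob@example.test": ("tok-bob", "contractors"),
    "guest-42": ("tok-guest", "guests"),
}


def authenticate(auth_object: dict) -> Optional[str]:
    """Validate the authentication object and return its Identity Policy Group,
    or None when the identity is unknown or the token does not verify.
    Assumption: a shared-secret token stands in for the real credential; the
    comparison is constant-time so timing does not leak which part failed."""
    record = IDENTITY_STORE.get(auth_object.get("identity", ""))
    if record is None:
        return None
    expected_token, group = record
    if not hmac.compare_digest(expected_token, auth_object.get("token", "")):
        return None
    return group


def select_route(table, dst: str, group: str, trust: int) -> Optional[RouteEntry]:
    """Return the most specific entry matching destination, group and trust together,
    or None when no entry matches all three."""
    addr = ip_address(dst)
    best = None
    for entry in table:
        net = ip_network(entry.prefix)
        if addr not in net or entry.policy_group != group or trust < entry.min_trust:
            continue
        if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
            best = entry
    return best


def forward(request: dict, trust_level: int, table=ROUTE_TABLE) -> Optional[str]:
    """Apply the claimed steps to one resource request. Returns the next hop the
    request is forwarded to, or None when it is discarded (claim 6)."""
    group = authenticate(request["auth"])
    if group is None:
        return None  # no Identity Policy Group, so no entry can match
    entry = select_route(table, request["dst"], group, trust_level)
    return entry.next_hop if entry is not None else None


if __name__ == "__main__":
    req = {"dst": "10.1.5.7", "auth": {"identity": "alice@example.test", "token": "tok-alice"}}
    for trust in (3, 2, 1):
        print(trust, forward(req, trust))
```

Running the block shows the claim 5 behaviour: the same client and destination are forwarded to 10.0.0.2 at trust 3, fall back to the less specific 10.0.0.1 entry at trust 2, and are discarded at trust 1, while the table itself never changes. A contractor identity reaches the same destination only through its own entry at trust 4, and a request whose token fails to verify is discarded regardless of trust.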
7. The method as recited in claim 6, in which: said resource request is a TCP-SYN packet.
A system and method for network communication involves processing resource requests in a computing environment. The method includes receiving a resource request from a client device, where the request is formatted as a TCP-SYN packet, which is the initial packet in a TCP connection establishment handshake. The system analyzes the TCP-SYN packet to determine whether the request meets predefined criteria, such as source IP address, port number, or packet payload characteristics. If the criteria are satisfied, the system generates a response to the request, which may include allocating network resources, initiating a service, or forwarding the request to another system component. The method also includes monitoring the resource request for anomalies or security threats, such as suspicious packet patterns or unauthorized access attempts. The system may log the request details for auditing or further analysis. The method ensures efficient and secure handling of TCP-SYN packets, which are critical for establishing reliable network connections while mitigating potential risks like SYN flood attacks. The approach optimizes network performance by dynamically managing resource allocation based on the characteristics of incoming TCP-SYN packets.
8. The method as recited in claim 6, in which: said authentication object contained in said resource request is a statistical object.
A system and method for secure resource access control involves authenticating requests for digital resources using statistical objects. The method processes a resource request containing an authentication object, which is a statistical object derived from a statistical analysis of user behavior or system data. This statistical object serves as a dynamic authentication credential, replacing or supplementing traditional static credentials like passwords or tokens. The system verifies the statistical object by comparing it against a reference statistical model or dataset stored in a secure database. If the statistical object matches or falls within an acceptable range of the reference model, the resource request is authenticated, and access to the requested resource is granted. If not, the request is denied. The statistical object may be generated using machine learning algorithms that analyze patterns in user behavior, system logs, or other relevant data. This approach enhances security by making authentication dynamic and context-aware, reducing the risk of unauthorized access through static credential theft or brute-force attacks. The system may also adapt the statistical model over time based on new data to improve accuracy and security.
9. The method as recited in claim 6, in which: said resource request is an IP packet.
The invention relates to network communication systems, specifically methods for processing resource requests in a network environment. The problem addressed is the efficient handling of resource requests, particularly in scenarios where requests are transmitted as IP packets. The method involves receiving a resource request in the form of an IP packet, which contains data identifying the requested resource. The system then processes this request by determining the appropriate resource based on the packet's content. This may include analyzing packet headers, payload data, or other embedded information to identify the requested resource. The method further involves routing the request to the correct resource or service within the network, ensuring proper delivery and processing. The system may also validate the request, check for authorization, or perform other pre-processing steps before forwarding it. The invention aims to improve the accuracy and efficiency of resource request handling in networked systems, particularly when dealing with IP-based communications. The method can be applied in various network architectures, including client-server models, distributed systems, or cloud-based environments, to enhance resource allocation and management.
October 15, 2018
March 1, 2022